Schadenfreude and Shame in Security

December 23, 2014

Hype, opportunists, and bad ideas are getting the spotlight after the massive breach of Sony Pictures. Most of us observers are sitting back and enjoying the schadenfreude of it all. For the general population that’s an understandable reaction; for those of us in the Information Security community it’s shameful.

Rather than take proactive, positive steps, we have sat on Twitter and watched as Sony and the Government have clumsily fumbled the situation. We often think we know what’s best, yet when our expertise would be most useful, most of us lurk in the background, sniggering to each other in our smug superiority.

In abdicating our role as ambassadors of technical literacy, we allow the story to be shaped by others. Often, those who run into the spotlight during these types of events are not experts or advocates for rational approaches, but opportunists promoting a specific agenda. The absence of a voice of reason from our community leaves a deafening silence. But don’t worry, we’ll fill that void with complaints once a solution has been enacted and we see that it won’t work.

Instead, the information security community should be engaging in the media and geopolitical discussions, injecting real solutions to solving systemic issues. We should be raising questions and bringing to light topics such as

Opportunism and fear mongering by politicians and our own industry.

Vandalism portrayed as terrorism.

The inadequacy of traditional investigative methods in cybercrime.

Statements, statistics, accusations, and claims made without supporting evidence, references, or credibility that go unchallenged.

Pre-determined attribution in hacking and geopolitics.

A geopolitical reaction to issues stemming from poor corporate oversight.

The hypocrisy of calling an attack on a film studio terrorism, while admitting to attacking military and government networks (hat tip to Jericho).

The information security industry taking $75B per year (according to Gartner) from the global economy without reduction in frequency or severity of information security incidents.

There isn’t one way to engage in the discussion, or to bring these issues (or others – and there are many others) out. However, there is a single way to fail at doing it, and that’s to fail to try. We, in the information security community, could have a great deal of influence if we chose to. When the world is powered by computers and software, those who know how to control those technologies have great power. But with great power comes great responsibility. Use it. Wisely.

UPDATE: @MarnixDekker points out that these are not really technology issues. But I counter that’s exactly the point. Why do we build technology of not to solve societal and human scale issues? If we are creating technology to its own end, others will use it as their means. We have seen where that leads, and it’s not a mistake we should be eager to make, nor naive enough to think won’t happen.